Azure domain fronting feature disabling

Udhayakumar Sundaramurty 21 Reputation points
2024-01-16T11:04:06.2866667+00:00

We have received the following mail :

Take action to stop domain fronting on your application before 8 January 2024

You’re receiving this email because you’re currently using Azure Front Door or Azure CDN Standard from Microsoft (classic). We’ve been making progressive changes to Azure Front Door and Azure CDN from Microsoft to align with our commitment to prevent domain fronting behavior. Starting from 8 January 2024, all existing Azure Front Door and Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior. The block implementation will start roll out on 8 January 2024 and will take one week or two weeks for the change to roll out to all regions. The following is a summary of the changes related to blocking domain fronting behavior on Azure Front Door and Azure CDN Standard from Microsoft (classic) in the past 18 months:

What are the changes that should be done on our side to disable the domain fronting behaviour ? We have a week to implement the recommended changes.

Your assistance is requested on this.

Thank you.

Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.

Accepted answer
    KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee
    2024-01-16T12:52:14.15+00:00

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    TL;DR:

    • From November 8, 2022, all newly created Azure Front Door, Azure Front Door (classic) or Azure CDN Standard from Microsoft (classic) resources will block any HTTP request that exhibits domain fronting behavior.
    • This means the resources created before the above date were allowing the behavior.
    • Starting from January 8, 2024, we'll enforce domain fronting blocking on all existing domains (the ones created even before Nov 8, 2022)
    • So, if all the above resources in your environment were created after November 8, 2022 - you will not be impacted.

    To provide a summary, Refer: How does Azure Front Door handle domain fronting behavior?

    What is Domain Fronting?

    Domain fronting is a technique that allows an attacker to hide the true destination of a malicious request by using a different domain name in the TLS handshake and the HTTP host header.

    This networking technique enables a backend domain to utilize the security credentials of a fronting domain. For example, if you have two domains under the same content delivery network (CDN), domain #1 may have certain restrictions placed on it (regional access limitations, etc.) that domain #2 does not. By taking the valid domain #2 and placing it into the SNI header, and then using domain #1 in the HTTP header, it’s possible to circumvent those restrictions. To the outside observer, all subsequent traffic appears to be headed to the fronting domain, with no ability to discern the intended destination for particular user requests within that traffic. It is possible that the fronting domain and the backend domain do not belong to the same owner.

    In what case will you be impacted by above?

    If your application uses a different TLS SNI extension during the TLS negotiation from the request Host header, you should prioritize changing this behavior on your application to ensure they match. Otherwise, your application or API may be impacted by this change.

    When CDN blocks a request due to a mismatch:

    What if your application expects this behavior to function properly?

    But based on customer feedback and security considerations, Azure Front Door and Azure CDN Standard from Microsoft (classic) have revised the domain fronting blocking restrictions effective from September 25, 2023. Instead of blocking a request when the TLS SNI extension and the host header do not match, Azure Front Door will allow the mismatch if both values are added as domains in the same Azure subscription.

    You can find more information in the below thread for your reference:

    So, as long as you are not doing any domain fronting by design or by accident, then there will be no impact.

    Hope this helps.

    Thanks, Kapil


    Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
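The rule described in the accepted answer (block when the TLS SNI and the HTTP Host header differ, except where both names are custom domains on resources in the same subscription) can be modelled and tested locally. The following is an added example written for this page; it is not code from the Q&A post, from Microsoft, or from Azure Front Door itself. The subscription lookup table, the domain names and the `evaluate_request` / `probe` function names are assumptions made for illustration; how Front Door treats a request that carries no SNI at all is not stated on the page, so the model simply treats a missing SNI as a mismatch.

```python
"""Model of the Front Door domain-fronting rule described in the answer,
plus a probe that sends a request whose TLS SNI and HTTP Host differ.

Added example, not code from the Q&A post or from Microsoft. The policy is
a reading of the prose above: block when SNI != Host, except when both
names are custom domains on resources in the same Azure subscription (the
September 25, 2023 relaxation). Subscription membership is modelled as a
dict; the real check is done inside Front Door and is not public code.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Verdict:
    allowed: bool
    reason: str


def _normalize(name: Optional[str]) -> str:
    # A Host header may carry a port ("app.contoso.com:443"); SNI never does.
    # Both are DNS names, so compare case-insensitively and without a trailing dot.
    # A missing SNI becomes "" and therefore never matches (assumption, see lead-in).
    if name is None:
        return ""
    return name.split(":", 1)[0].rstrip(".").lower()


def evaluate_request(sni: Optional[str], host: Optional[str],
                     domain_subscriptions: Dict[str, str]) -> Verdict:
    """Decide whether a request would be treated as domain fronting.

    domain_subscriptions maps a custom domain to the subscription ID of the
    Front Door / CDN resource it is configured on (constructed data below).
    """
    s, h = _normalize(sni), _normalize(host)
    if s == h:
        return Verdict(True, "SNI and Host match")
    sub_s = domain_subscriptions.get(s)
    sub_h = domain_subscriptions.get(h)
    # Only allow the mismatch when both names are known and co-owned.
    if sub_s is not None and sub_s == sub_h:
        return Verdict(True, "mismatch allowed: both domains in same subscription")
    return Verdict(False, f"domain fronting blocked: SNI={s!r} Host={h!r}")


def probe(front: str, backend: str, port: int = 443, timeout: float = 10.0) -> str:
    """Send one HTTPS request with SNI=front and Host=backend, return the status line.

    Needs network access; run it against your own endpoints to see whether a
    client stack of yours produces the mismatch the email warns about. The
    certificate is validated against `front`, which is what a fronting client
    sees.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((front, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front) as tls:
            req = (f"GET / HTTP/1.1\r\nHost: {backend}\r\n"
                   f"Connection: close\r\n\r\n").encode()
            tls.sendall(req)
            return tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")


# Constructed example data: two domains on one subscription, one elsewhere.
DOMAINS = {
    "www.contoso.com": "sub-1111",
    "api.contoso.com": "sub-1111",
    "cdn.fabrikam.net": "sub-2222",
}

if __name__ == "__main__":
    cases = [
        ("www.contoso.com", "WWW.Contoso.com:443"),  # same name, port and case differ
        ("www.contoso.com", "api.contoso.com"),      # mismatch, same subscription
        ("www.contoso.com", "cdn.fabrikam.net"),     # mismatch, other subscription
        ("www.contoso.com", "evil.example"),         # mismatch, unknown domain
        (None, "www.contoso.com"),                   # no SNI at all
    ]
    for sni, host in cases:
        v = evaluate_request(sni, host, DOMAINS)
        print(f"{'ALLOW' if v.allowed else 'BLOCK':5} {sni} / {host}: {v.reason}")
```

To check a real deployment rather than the model, call `probe("www.contoso.com", "api.contoso.com")` with your own front-end hostnames and compare the returned status line with what the same request returns when SNI and Host agree; a client library or proxy that rewrites only one of the two values is the usual source of an accidental mismatch.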


0 additional answers
